The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Identifying, recording and managing risks

Your organisation has appropriate policies, procedures and measures to identify, record and manage information risks.

Ways to meet our expectations:

  • An information risk policy (either a separate document or part of a wider corporate risk policy) sets out how your organisation and its data processors manage information risk, and how you monitor compliance with the information risk policy.
  • You have a process to help staff report and escalate information governance or data protection concerns and risks to a central point, for example staff forums.
  • You identify and manage information risks in an appropriate risk register, which includes clear links between corporate and departmental risk registers and the risk assessment of information assets.
  • You have formal procedures to identify, record and manage risks associated with information assets in an information asset register.
  • If you identify information risks, you have appropriate action plans, progress reports and a consideration of the lessons learnt to avoid future risk.
  • You put in place measures to mitigate the risks identified within each risk category, and you test these measures regularly to maintain their effectiveness.

Can you answer yes to the following questions?

  • Do staff know how to report and escalate concerns and risks?
  • Could staff explain the links between the information risk register, the risk assessment of information assets, departmental risk registers and the corporate risk register?